Fix missing Team API exceptions (#1058)

* Add require_team decorator to endpoints that request teams.
* Change status code for captain endpoints to return 403 instead of 400
selenium-screenshot-testing
Kevin Chung 2019-07-12 00:53:35 -04:00 committed by GitHub
parent f033f16490
commit b453125726
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 14 additions and 6 deletions

View File

@ -10,7 +10,7 @@ from CTFd.utils.decorators.visibility import (
check_score_visibility, check_score_visibility,
) )
from CTFd.utils.user import get_current_team, is_admin from CTFd.utils.user import get_current_team, is_admin
from CTFd.utils.decorators import authed_only, admins_only from CTFd.utils.decorators import authed_only, admins_only, require_team
import copy import copy
teams_namespace = Namespace("teams", description="Endpoint to retrieve Teams") teams_namespace = Namespace("teams", description="Endpoint to retrieve Teams")
@ -110,6 +110,7 @@ class TeamPublic(Resource):
@teams_namespace.param("team_id", "Current Team") @teams_namespace.param("team_id", "Current Team")
class TeamPrivate(Resource): class TeamPrivate(Resource):
@authed_only @authed_only
@require_team
def get(self): def get(self):
team = get_current_team() team = get_current_team()
response = TeamSchema(view="self").dump(team) response = TeamSchema(view="self").dump(team)
@ -120,6 +121,7 @@ class TeamPrivate(Resource):
return {"success": True, "data": response.data} return {"success": True, "data": response.data}
@authed_only @authed_only
@require_team
def patch(self): def patch(self):
team = get_current_team() team = get_current_team()
if team.captain_id != session["id"]: if team.captain_id != session["id"]:
@ -128,7 +130,7 @@ class TeamPrivate(Resource):
"success": False, "success": False,
"errors": {"": ["Only team captains can edit team information"]}, "errors": {"": ["Only team captains can edit team information"]},
}, },
400, 403,
) )
data = request.get_json() data = request.get_json()
@ -226,6 +228,7 @@ class TeamMembers(Resource):
@teams_namespace.route("/me/solves") @teams_namespace.route("/me/solves")
class TeamPrivateSolves(Resource): class TeamPrivateSolves(Resource):
@authed_only @authed_only
@require_team
def get(self): def get(self):
team = get_current_team() team = get_current_team()
solves = team.get_solves(admin=True) solves = team.get_solves(admin=True)
@ -243,6 +246,7 @@ class TeamPrivateSolves(Resource):
@teams_namespace.route("/me/fails") @teams_namespace.route("/me/fails")
class TeamPrivateFails(Resource): class TeamPrivateFails(Resource):
@authed_only @authed_only
@require_team
def get(self): def get(self):
team = get_current_team() team = get_current_team()
fails = team.get_fails(admin=True) fails = team.get_fails(admin=True)
@ -267,6 +271,7 @@ class TeamPrivateFails(Resource):
@teams_namespace.route("/me/awards") @teams_namespace.route("/me/awards")
class TeamPrivateAwards(Resource): class TeamPrivateAwards(Resource):
@authed_only @authed_only
@require_team
def get(self): def get(self):
team = get_current_team() team = get_current_team()
awards = team.get_awards(admin=True) awards = team.get_awards(admin=True)

View File

@ -118,6 +118,9 @@ def require_team(f):
if get_config("user_mode") == TEAMS_MODE: if get_config("user_mode") == TEAMS_MODE:
team = get_current_team() team = get_current_team()
if team is None: if team is None:
if request.content_type == "application/json":
abort(403)
else:
return redirect(url_for("teams.private", next=request.full_path)) return redirect(url_for("teams.private", next=request.full_path))
return f(*args, **kwargs) return f(*args, **kwargs)

View File

@ -106,7 +106,7 @@ def test_api_users_can_change_captain_on_self_team():
# I am not the captain # I am not the captain
with login_as_user(app, name="user2") as client: with login_as_user(app, name="user2") as client:
r = client.patch("/api/v1/teams/me", json={"captain_id": 3}) r = client.patch("/api/v1/teams/me", json={"captain_id": 3})
assert r.status_code == 400 assert r.status_code == 403
# Look at me, I'm the captain now # Look at me, I'm the captain now
with login_as_user(app, name="user1") as client: with login_as_user(app, name="user1") as client:

View File

@ -339,7 +339,7 @@ def test_api_team_patch_me_logged_in_user():
r = client.patch( r = client.patch(
"/api/v1/teams/me", json={"name": "team_name", "affiliation": "changed"} "/api/v1/teams/me", json={"name": "team_name", "affiliation": "changed"}
) )
assert r.status_code == 400 assert r.status_code == 403
destroy_ctfd(app) destroy_ctfd(app)
@ -640,7 +640,7 @@ def test_api_team_patch_password():
"/api/v1/teams/me", "/api/v1/teams/me",
json={"confirm": "password", "password": "new_password"}, json={"confirm": "password", "password": "new_password"},
) )
assert r.status_code == 400 assert r.status_code == 403
assert r.get_json() == { assert r.get_json() == {
"errors": {"": ["Only team captains can edit team information"]}, "errors": {"": ["Only team captains can edit team information"]},